San Francisco, June 22, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced financial support of nearly $500,000 for three new projects to better support critical security elements of today’s global information infrastructure. Established in 2014 in response to the Heartbleed vulnerability, more than 20 companies founded CII to fortify the security of key open source projects.

CII’s funds will support a new open source automated testing project, the Reproducible Builds initiative from Debian, and IT security researcher Hanno Böck’s Fuzzing Project. Additionally, The Linux Foundation is announcing that Emily Ratliff is joining The Linux Foundation as senior director of infrastructure security for CII. Ratliff is a Linux, system and cloud security expert with more than 20 years’ experience. Most recently she worked as a security engineer for AMD, and she previously logged nearly 15 years at IBM.

“I'm excited to join the Linux Foundation and work on the Core Infrastructure Initiative because improving the security of critical open source infrastructure is a bigger problem than any one company can tackle on their own,” said Ratliff. “I’m looking forward to working with CII members to more aggressively support underfunded projects and work to change the way the industry protects and fortifies open source software.”

Reproducible Builds - For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by unknown attackers. Reproducible builds enable anyone to reproduce bit-for-bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it is said to have been derived. Without this, even for software whose source code has been carefully audited, it is much harder to detect whether binaries have been tampered with before they reach users.

Compiler output usually differs from one version to another. Even when reproducing the original build environment as closely as possible, specific information about the process such as date and time or ordering of files can introduce hard-to-understand variations in the build results. Enabling easy ways to record and restore a given build environment and making the compilation processes fully deterministic by removing or normalizing variations allows anyone to verify for themselves that the file they received was exactly what the developers intended.
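The effect of normalizing build-time variations can be shown with a small added example (not part of the original announcement and not the Debian project's tooling). It packs the same constructed files twice, with different file ordering, build times and builder accounts, and compares the SHA-256 of the results with and without normalization; all names and values are hypothetical.

```python
import hashlib
import io
import tarfile

# Constructed sample "build output": path -> contents (not from the page).
FILES = {"usr/bin/hello": b"\x7fELF-demo",
         "usr/share/doc/hello/README": b"hello\n"}


def build_archive(files, order, build_time, user, normalize=False, epoch=0):
    """Pack files into an uncompressed tar archive and return its bytes.

    order/build_time/user model what varies between two build machines.
    With normalize=True those variations are removed: names are sorted,
    mtime is clamped to a fixed epoch (real builds commonly take it from
    the SOURCE_DATE_EPOCH variable) and ownership is blanked.
    """
    names = sorted(files) if normalize else list(order)
    buf = io.BytesIO()
    # USTAR keeps headers minimal (no PAX extended records).
    with tarfile.open(fileobj=buf, mode="w",
                      format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            info.uid = info.gid = 0
            info.mtime = epoch if normalize else build_time
            info.uname = info.gname = "" if normalize else user
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def builds_match(normalize):
    """Build on two simulated machines and report whether hashes agree."""
    names = list(FILES)
    # Constructed values: two build times one hour apart, two accounts.
    a = build_archive(FILES, names, 1434931200, "alice", normalize)
    b = build_archive(FILES, names[::-1], 1434934800, "bob", normalize)
    return digest(a) == digest(b)


if __name__ == "__main__":
    print("raw builds identical:       ", builds_match(False))
    print("normalized builds identical:", builds_match(True))
```

A verifier who rebuilds from the same source with normalization enabled can compare the resulting digest against the published binary; a mismatch then points to a real difference rather than to build noise.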

Debian developers Holger Levsen and Jérémy Bobbio are steering a large-scale effort to eliminate unneeded variations from the build processes of thousands of free software projects, as well as provide tools to understand the source of these differences and update the infrastructure to allow developers to independently verify the authenticity of binary distributions.

Ensuring that no flaws are introduced during the build process greatly improves software security and control. This work has already made significant progress in Debian, and they are making their tools available for Fedora, Ubuntu, OpenWrt and other distributions as well. CII’s $200,000 grant will allow Levsen and Bobbio to meaningfully advance their Debian work and collaborate more closely with other distributions.

The Fuzzing Project - The fuzzing software testing technique is a powerful mechanism to identify security problems in software or computer systems. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. Many vulnerabilities in well-known software, including several GnuPG and OpenSSL bugs reported lately, were found by Böck's effort. He will receive $60,000 from CII to continue his work finding and reporting fuzzer-related issues in open source software. He works on improving and documenting the tools and methods to automatically find large quantities of bugs in software.

False-Positive-Free Testing - Pascal Cuoq, chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to guarantee software has no flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer's widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms.

Cuoq's new project supports a new flavor of TIS Analyzer named “TIS Interpreter” and a methodology that detects bugs with no false positives. Thus, any bug that is reported actually needs to be fixed. The American Fuzzy Lop fuzzer will be used to automatically generate new test cases for OpenSSL, from which TIS Interpreter can detect bugs.

TIS Interpreter, expected to be released as open source software in early 2016, will use existing test cases to detect bugs with no false positives, which saves developers’ time. CII is investing $192,000 in this work, which combines existing technologies to test this new technique on OpenSSL, so that, if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.

“While each project we’re announcing funding for today is quite different, each is critical to our global computing infrastructure and cybersecurity. These new grants, combined with the stellar addition of Emily, mean CII is well-positioned to address critical infrastructure vulnerabilities in the months and years ahead,” said Jim Zemlin, Executive Director of The Linux Foundation. “Emily’s extensive Linux security experience and standards involvement will be a major asset to CII’s work as we move beyond point-fixes toward more holistic solutions for open source security.”

More About Emily Ratliff

As senior director of infrastructure security, Ratliff will set the direction for all CII endeavors, including managing membership growth, grant proposals and funding, and newly created CII tools and services. She brings a wealth of Linux, systems and cloud security experience to her new role. One of the first two people to work on base systems security at IBM’s Linux Technology Center, Ratliff contributed to the first Common Criteria evaluation of Linux, gaining an in-depth understanding of the risk involved when adding an open source package to a system. She has gained expertise working with open standards groups, including the Trusted Computing Group and GlobalPlatform, and has been a Certified Information Systems Security Professional since 2004.

CII accepts grant applications on an ongoing basis, with priority given to underfunded open source projects that support the largest amount of infrastructure. A steering committee, which meets quarterly to review proposals, recently renewed annual grants for GnuPG, NTPd, OpenSSL, and OpenSSH to continue supporting developers and code audits. To submit a grant application or for more information, go to: http://www.linuxfoundation.org/programs/core-infrastructure-initiative.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects and Linux conferences, including LinuxCon, and by generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

###

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project. Linux is a trademark of Linus Torvalds.